Audit Report

OIG-11-112
INFORMATION TECHNOLOGY: BEP's Network and Systems Security Was Found to Be Insufficient

September 30, 2011

Office of Inspector General
DEPARTMENT OF THE TREASURY

Contents

Audit Report

    Results in Brief ............................................ 2
    Background .................................................. 4
    Findings and Recommendations ................................ 5

Appendices

    Appendix 1: Objectives, Scope, and Methodology .............. 22
    Appendix 2: Management Response ............................. 24
    Appendix 3: Screenshots of Real-Time BEP User Activity ...... 29
    Appendix 4: Major Contributors to This Report ............... 31
    Appendix 5: Report Distribution ............................. 32

Abbreviations

    BEP       Bureau of Engraving and Printing
    BIOS      Basic Input Output System
    CIO       Chief Information Officer
    HTTPS     Hypertext Transfer Protocol Secure
    IT        Information Technology
    JAMES     Joint Audit Management Enterprise System
    OCIO      Office of the Chief Information Officer
    OIG       Treasury Office of Inspector General
    OPTR      Office of Privacy, Transparency, and Records
    OMB       Office of Management and Budget
    USB       Universal Serial Bus

BEP's Network and Systems Security Was Found to Be Insufficient (OIG-11-112)    Page 1

OIG
The Department of the Treasury
Office of Inspector General
Audit Report

September 30, 2011

Larry R. Felix
Director
Bureau of Engraving and Printing

The objective of this audit was to determine whether sufficient protections were in place to prevent and detect intrusions into the Bureau of Engraving and Printing's (BEP) network and systems.

To accomplish our objective, we performed an internal vulnerability assessment and penetration test of BEP's network and systems. We also tested BEP's internet-facing websites external to BEP's network using only information available to the general public. Additionally, we performed a social engineering test to determine whether BEP users were aware of, and carrying out, their responsibilities in protecting the bureau's information technology (IT) resources.

We performed our fieldwork at BEP's headquarters in Washington, DC, from May 2010 through April 2011. The audit was performed in accordance with generally accepted government auditing standards. Our objectives, scope, and methodology are described in appendix 1.

Results in Brief

We determined that BEP did not establish sufficient protection for its network and systems and should enhance its security controls to protect against threats posed by malicious insiders. Specifically, during our social engineering exercise, we successfully persuaded 23 BEP users to give us access to their computers (100 percent of those attempted) using their accounts. While impersonating BEP contractors with unescorted access to the facility, every user whom we approached gave us full access to their computer without challenge. In fact, in one instance, a BEP employee observed us standing at the door to a restricted area. Rather than question our presence, he opened the door and let us in, giving us unescorted access to the entire administrative area.

Our work also identified significant deficiencies in BEP's network and systems related to its patch management processes and system configurations. Specifically, we found critical vulnerabilities because of a number of missing security patches, some more than 1 year old. For example, we were able to gain system-level access to a BEP desktop missing an 8-year-old patch, and user-level access to a BEP server missing a 3-year-old patch. By taking advantage of these vulnerabilities, we were able to gain full access to the desktop, where we were able to create, edit, delete, and move files. We were also able to access files and databases on the server.

Finally, we noted that BEP did not fully comply with the Office of Management and Budget (OMB) Memorandum M-10-22, "Guidance for Online Use of Web Measurement and Customization Technologies" (June 25, 2010). This memorandum emphasizes the need to safeguard the privacy of the American public while increasing the Federal Government's ability to serve the public by improving and modernizing its activities online. To that end, the guidance applies to any Federal agency use of web measurement and customization technologies by providing clear, firm, and unambiguous protection against any uses that would compromise or invade personal privacy. This guidance is not limited to any specific technology or application (such as persistent cookies),[1] and includes Federal agency use of third-party web measurement and customization technologies.

    [1] The term "cookie" covers a wide array of techniques used to track information about web site usage. This report uses the term as shorthand for "persistent cookie," a web technology that can track the activity of users over time and across different web sites. (From OMB "Cookies Letter, 07-28-00," http://www.whitehouse.gov/omb/inforeg_cookies_letter72800). OMB M-10-22 identifies persistent cookies as a specific technology used in web measurement and customization.

Considering the deficiencies we identified during the course of this audit and subsequent discussions regarding them with the BEP Chief Information Officer (CIO) and his staff, we were concerned over the state of BEP's network and systems security and what we found to be a lack of effective oversight exercised by its CIO.

We are making a number of recommendations to the Director of BEP to address the weaknesses identified during the course of this audit. Among those recommendations are the need to reinforce and enhance security awareness training, emphasizing the malicious insider threat; conduct periodic social engineering tests to assess the effectiveness of user security awareness training; improve BEP's patch management process to ensure that all critical patches are applied on a timely basis; and ensure that the antivirus central server and the intrusion detection system record and maintain all information security alerts.

In a written response to a draft copy of this report, BEP management provided us with its planned corrective actions and discussed those corrective actions it already has underway. BEP's response meets the intent of our recommendations. BEP's written response is included in appendix 2.

Background

The Federal Information Security Management Act, Title III of the E-Government Act of 2002, requires each federal agency's information security program to provide information security for the information and information systems that support the operations and assets of the agency. The program should include periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems that support the operations and assets of the agency. Specifically, agencies are required to perform periodic testing and evaluation of management, operational, and technical controls of information systems depending on risks; and institute a process for planning, implementing, evaluating and documenting remedial action to address any deficiencies or exploits. An independent network and system security assessment, like this one, is performed to validate that the controls that have been put in place are functioning properly.

BEP's mission is to design and manufacture high quality security documents that deter counterfeiting and meet customer requirements for quality, quantity, and performance. BEP's primary function is to print billions of dollars, referred to as Federal Reserve Notes, each year for delivery to the Federal Reserve System. As the government's printer, BEP's customers and stakeholders expect and demand the highest degree of security. An unauthorized attack or system intrusion on BEP's network and systems could be detrimental to that mission by putting at risk the government's ability to print paper money and other security documents.

Findings and Recommendations

Finding 1    Security Awareness Training Program Did Not Harden Users Against Social Engineering Attacks

We determined that BEP's security awareness training program did not harden users against social engineering attacks. As a consequence, users allowed unknown individuals, our auditors posing as BEP contractors, complete access to their computers. During our social engineering test, we successfully persuaded all 23 BEP users we approached (100 percent) to give us full access to their computers without challenging our credentials. Specifically, we approached the users and asked them if we could "check the antivirus software" installed on their computers without identifying ourselves. We intentionally turned our BEP-issued contractor badges inward so that the users could not see our names and pictures on the badges. Even though we were unknown to the users we approached, none of them challenged us or asked to see our badges or any paperwork. In short, these users allowed individuals, whose only visible credential was the back side of a contractor badge, complete access to their computers.

At each system, we either asked the user to stay logged in or to log back in for us. Some of these users stayed and watched us use their computers (e.g., extracting files, running executables, and using the command prompt), while others left us alone. In every case, we were given complete access to the computer without the user visibly displaying any degree of skepticism or even asking our names. Once on the computer, we took full control with the user's access level. We then used applications stored on our Universal Serial Bus (USB) thumb drive and Compact Disc we brought with us to extract data from their computers and view their files. As a result, we were able to, among other things, find and extract Personally Identifiable Information from some of the computers. Examples of the types of Personally Identifiable Information we were able to access included BEP employee names, social security numbers, places of birth, time in government, entry on duty dates, and mid- and end-of-year performance appraisals.

On one occasion, a BEP employee held the door open, allowing us to enter a restricted administrative area unescorted. At the time, our badges were still facing inward, and the employee did not challenge our motives for entry. Once inside the secured area, we were able to gain access to additional computers.

On the second day of our social engineering test, the BEP Chief of Office of Critical Infrastructure and IT Security told us that five BEP users from the previous day's social engineering test had verbally reported our activities. However, BEP was not able to provide us with any help desk tickets documenting those reports.

The other 18 users did not report our activities to anyone. Therefore, at best, five targeted users were suspicious enough of our activities to call security after we left, but not suspicious enough to ask our names or to see our credentials before allowing us access to their computers. The other 18 users displayed no concern or presumably deemed our presence as nothing more than a minor disruption.

All BEP users must sign BEP IT Rules of Acceptable Use Form 8394 (Rev. 1-08). These rules require, among other things, that users not let anyone else use their account or associated account privileges. Users are also supposed to notify the system administrator, the help desk, or the IT Security Division of any unusual occurrences during logging in or signing off or during use of their computer. In short, the rules clearly state that users are responsible for protecting any information used or stored by their account and that users must report any incidents of possible misuse, suspected viruses, or IT security incidents or weaknesses in IT security to the help desk.

Based on this test, even though BEP had an established annual user security awareness training program, we found an alarmingly high failure rate of BEP's security awareness practices.

When we spoke subsequently with several users who had given us access to their computers, they told us that they did not remember the same set of circumstances that we presented to them. For example, one user said that he thought his computer was logged off when he left us at his desk, and another user said that he assumed we were contractors from BEP's help desk.

We believe BEP users' susceptibility to these types of attacks may be attributed, at least in part, to the lack of regular social engineering training. Part of this training would include unannounced social engineering tests to reinforce user awareness and provide an understanding of how users can defend themselves and BEP against social engineering attacks. BEP could also use these opportunities to communicate the possible consequences of a breach, to include compromising the confidentiality, integrity, and availability of BEP information.

Recommendations

We recommend that the Director of BEP do the following:

1.  Reinforce and enhance through BEP's regular user awareness training the following social engineering countermeasures:
    •  Users should be instructed/reminded to request the identification of unfamiliar individuals who are requesting access to their BEP computers.
    •  Users should be instructed/reminded to log off or lock their computers any time they leave their computers unattended.
    •  Users should be instructed/reminded to not allow anyone else to use their BEP credentials or accounts, including those from the BEP help desk.
    •  Users should be instructed/reminded to not allow anyone into secure areas without valid credentials.
    •  Users should be instructed/reminded to inform the BEP help desk if they notice unauthorized individuals accessing BEP computers or secure areas.

Management Response

BEP management stated that its employees are required to take the required training program established and maintained by Treasury on the Treasury Learning Management System. BEP will request that the Treasury office that manages the training program include additional instructions related to the risk posed by malicious insiders. Additionally, BEP will prepare an "All Employee E-mail" and an article in the monthly Communicator to reinforce the items in the recommendation.

OIG Comment

Management's planned corrective actions are responsive to our recommendation. BEP management will need to establish definitive dates for when they expect these corrective actions to be implemented.

2.  Conduct periodic social engineering tests to assess the effectiveness of user security awareness training.

Management Response

BEP management stated that it will augment its current testing with additional scenarios associated with malicious insider threats similar to those utilized during this test. The first rollout of these new tests will occur prior to the end of calendar year 2011.

OIG Comment

Management's planned corrective action is responsive to our recommendation.

Finding 2    BEP's Patch Management Process Was Not Effective in Protecting Its Network and Systems

We determined that BEP's patch management[2] process was not effective because a substantial number of critical[3] patches were missing from bureau desktops and servers. As a result, BEP's network and systems were not fully safeguarded, leaving them vulnerable to attacks from malicious insiders. We also found that BEP management did not document its rationale for not applying critical patches.

    [2] Patch management is a security practice designed to prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities.
    [3] A critical vulnerability is a remote exploit, granting root or administrator access, or having an active worm or virus spread in the public realm.

We scanned 1,136 desktops at BEP headquarters in Washington, DC, and found that BEP's desktops were missing a total of 220 critical patches. Of those 220 missing critical patches, 60 percent were more than 1 year old. Similarly, we scanned 95 servers at BEP, and found those servers were missing a total of 152 critical patches. Of those 152 missing critical patches, 50 percent were more than 1 year old. In all, over half of the missing critical patches we identified were more than 1 year old, without any documented explanation as to why BEP did not install the patches.

Among the missing critical patches that we identified were one from a desktop, missing since 2002, and one from a server, missing since 2007. Using that information, we were able to successfully exploit both the desktop and server.

With regard to the desktop exploitation, we were able to gain remote system-level access on that computer. This access allowed us to create, edit, delete, and move files. It enabled us to remotely retrieve files, take screenshots, and run our programs on the target desktop. We were also able to extract the local Security Accounts Manager[4] file and decrypt the password of a local account with administrative privileges for that computer.

    [4] Security Accounts Manager is a registry file in Windows NT, Windows 2000, and later versions of Windows. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Obtaining this information enables someone to decrypt passwords.

During this process, we viewed real-time user activity. For example, we saw a BEP user viewing a scanned copy of a $10 note on his desktop. Our remote view of the compromised desktop also allowed us to see that the user appropriately received an antivirus notification while our attack was taking place. To our surprise, however, we also saw that user disregard the antivirus notification by moving it to the bottom of the screen and continue to work. Appendix 3 contains two remote screenshots we took of the exploitation just described; the screenshots capture the real-time antivirus notification that was received by the user and the user moving that notification to the bottom of the screen so that he could continue to work. It should be noted that portions of the screenshots included in appendix 3 have been redacted.

Following up on the antivirus notification, BEP management told us that the antivirus central server did not log this incident. BEP followed up with the vendor of the antivirus software to determine why the antivirus central server failed to log the incident. At the time of this report, the software logging failure remained unresolved.

With regard to our server exploitation, we were able to gain user-level access, allowing us to create, edit, delete, and move files, as well as access a database. Similar to the desktop exploitation, BEP's intrusion detection system failed to log our activities on the server.

In interviews with BEP management, we were told that the IT Security Division (IT Security) is responsible for identifying vulnerabilities in BEP's network and systems and reporting them to the IT Technical Support Division (IT Operations) for remediation via a ticketing system. However, we found that not all of these vulnerabilities were being remediated. According to the IT Operations Chief, some tickets were being closed without full remediation. IT Security told us they ran regular vulnerability scans and generated a help desk ticket so that IT Operations could remediate the vulnerabilities discovered by the scans. IT Operations would then apply most of the patches and close the ticket because some of the patches were deemed not applicable or would present a risk to some IT resources. However, IT Operations did not document the rationale/business reasons why these patches were not applied. Also, IT Security could not tell us if the same vulnerabilities were discovered in consecutive scans because they did not analyze the vulnerabilities to determine if the same vulnerabilities were repeatedly being reported.

We were so concerned about what we had found that we provided BEP's CIO staff with the reports generated by our automated assessment tools in July 2010, so that timely corrective actions could be taken. The reports provided details on specific vulnerabilities detected and exploited, and the suggested actions needed to address them.

During the Notifications of Findings and Recommendations meeting held in January 2011, we were surprised to learn that BEP had not reviewed the reports because they found the tool-generated reports too copious. Therefore, no corrective action or mitigation was taken with respect to the vulnerabilities that we had identified 6 months earlier.

According to BEP IT Security Policy and Procedures Manual, No. 10-08.35 (August 1, 2005), the manager of IT Operations is responsible for ensuring that systems and applications are maintained with the proper updates and security patches, and for providing status on the state of the current IT infrastructure, to include implementing, documenting, and monitoring patches, workarounds and updates. Treasury CIO memorandum M-06-01, "Improving the Department's Security Plan of Action and Milestone Process" (March 24, 2006),[5] requires that security weaknesses be entered into the Plan of Action and Milestones to provide an auditable trail of the weakness remediation. Treasury Directive Publication 85-01, "Treasury Information Technology Security Program" (June 9, 2009), control S-PM.2 requires that bureaus ensure security patches are tested and installed on a timeline in accordance with the criticality of the patches. Additionally, the National Institute of Standards and Technology Special Publication 800-61, "Computer Security Incident Handling Guide" (March 2008), states that organizations should establish logging standards and procedures to ensure that adequate information is collected by logs and security software.

    [5] Agency CIOs, working with other appropriate agency officials, are responsible for developing a POA&M for each program and system for which a weakness was identified. The purpose of a POA&M is to help agencies identify, assess, prioritize, and monitor progress of corrective efforts for security weaknesses in programs and systems.

BEP management was unable to provide us any reason for not applying the critical patches that were over 1 year old. Furthermore, IT Operations did not document the business reasons/rationale for not applying patches. The BEP IT Operations Chief acknowledged that there was no documentation for patches that were not applied, and that the unapplied patches were not entered into the Plan of Action and Milestones process as required by the Treasury CIO Memorandum M-06-01 for security weaknesses. We believe this deficiency is due, at least in part, to the absence of an adequate patch tracking system in IT Security and lack of oversight by the managers of IT Operations, IT Security, and the CIO.

If BEP does not apply patches in a timely manner, the vulnerabilities resulting from these missing patches could put BEP's systems at risk for exploitation by internal and external hackers. As evidence, we compromised two systems using exploits known to the manufacturer, who recommended patches 3 and 8 years, respectively, prior to our tests.

In addition, the lack of comprehensive incident reporting further hampers BEP's efforts to detect attackers and deter them from gaining access to BEP's systems. Our test exposed a failure of both the user and the antivirus central server to identify and alert management of the security compromise. Had our attacks been malicious, BEP would not even have been aware that we compromised the targeted systems or any of the information residing on those systems.

Recommendations

We recommend that the Director of BEP do the following:

3.  Improve the patch management process to ensure that all critical vulnerabilities are patched, mitigated, or justified as to why the risk of not patching was accepted (e.g., business reasons) in a timely manner. Additionally, vulnerabilities are to be documented in the Plans of Action and Milestones as specified in TCIO M-06-01.

Management Response

BEP management stated that it will continue to improve the patch management process by proactively addressing flaws exposed in deployed hardware and software products and remains committed to following best practices regarding patch management and maintaining a defense-in-depth architecture to manage risks throughout the enterprise.

OIG Comment

Management's planned corrective action meets the intent of our recommendation.
However, we would like to emphasize that the\n                        critical vulnerabilities that we identified allowed us unauthorized\n                        access to sensitive information. Furthermore, BEP will need to\n                        review the missing patches that allowed for the critical\n                        vulnerabilities that we identified and determine whether to mitigate\n                        or accept the vulnerabilities as risks. In addition, unmitigated\n                        vulnerabilities are to be documented in the Plans of Action and\n                        Milestones as specified in TCIO M-06-01. BEP management will\n                        need to establish definitive dates that these planned actions are\n                        expected to be completed in JAMES.\n\n                        4.    Ensure the intrusion detection system and the antivirus central\n                              server are corrected to properly log all information alerts\n                              generated by desktops and servers.\n\n                        Management Response\n\n                        BEP management stated that it contacted the relevant vendors to\n                        review and verify the system configurations and confirmed the\n                        systems are functioning correctly to properly log all information\n                        alerts.\n\n                        OIG Comment\n\n                        Management\xe2\x80\x99s corrective action meets the intent of our\n                        recommendation.\n\nFinding 3               Some BEP Systems Were Configured With Ineffective\n                        Security Settings\n\n                        We found that some of BEP systems were configured with\n                        ineffective security settings, resulting in critical vulnerabilities. 
As we demonstrated, some of these vulnerabilities put BEP systems at risk of exploitation by malicious insiders. With that said, many of these vulnerabilities could be eliminated through modification of security settings.

Below are the categories of vulnerabilities we found in some BEP systems during our social engineering and penetration tests that resulted from ineffective security settings:

• Lack of full disk encryption. The hard drives of some desktops were not encrypted, which allowed us to easily gain access to BEP data.

• Basic input output system (BIOS)[6] open access. Some BEP systems were found with BIOS settings that allowed booting from alternate media devices without password prompting. This enabled us to bypass the security controls on the desktops.

• Unauthorized USB devices allowed. Some of the systems we tested allowed us to use unauthorized USB devices to access data on the systems.

• Open Windows registry access.[7] One system we tested allowed user access to the Windows registry. The availability of the registry allowed us to gather more complete and accurate information about the system we were attacking.

• Open ports. Some printers and computers were configured with open network service and telnet ports when not required by any business need.

• Weak X.509 certificate encryption. We found some systems were using weak algorithms to encrypt their certificates, which are used to authenticate computers over the BEP local area network.

• Weak Hypertext Transfer Protocol encryption. We found that some BEP systems were not using Hypertext Transfer Protocol Secure (HTTPS). It is an acknowledged best practice to implement HTTPS wherever possible to prevent the accidental transmission of sensitive information.

• Anonymous user login.[8] We found that some systems were allowing access to Oracle and network services with anonymous or null accounts, which could grant an attacker access to network services without requiring authentic user credentials.

[6] BIOS is the first code run by a computer when powered on. The BIOS primarily determines which operating system should be loaded.

[7] Microsoft Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems.

[8] An access control property, which can be a weakness, in which many servers allow users to access general-purpose or public services and resources without a pre-established, user-specific account (such as a user name and password), lowering internet and network security because there is no secure authentication.

We exploited the first four of these vulnerabilities to extract personal and official information from BEP users' computers in the presence of those users during our social engineering test.

According to the National Institute of Standards and Technology Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations" (May 2010), organizations should configure information systems to provide only essential capabilities. Additionally, the SANS Institute InfoSec Reading Room paper entitled, Why Bother About BIOS Security, recommends that passwords be used on every computer in order to protect the BIOS configuration utility.

According to BEP's Chief of Office of Critical Infrastructure and IT Security, the risks associated with some of the vulnerabilities were accepted due to business needs. However, there was no documentation supporting those determinations. For the other vulnerabilities that were identified, no explanation was provided. We believe this is because either BEP was unaware that the vulnerabilities existed or was unable to effectively manage the variety of hardware and software configurations in its environment.

These categories of vulnerabilities could be exploited by malicious insiders in various ways, leaving BEP's systems at risk of data exposure, modification or deletion. Moreover, taking advantage of these vulnerabilities, we were able to easily gain access to an individual's bank website login information, as well as logins to other websites.

Recommendations

We recommend that the Director of BEP do the following:

5. Review and enhance existing vulnerability assessment procedures to better ensure critical risks are tracked and remediated.

Management Response

BEP management stated that it will review and enhance existing vulnerability assessment procedures to better track and mitigate critical risks.

OIG Comment

Management's planned corrective action is responsive to our recommendation. However, BEP management will need to establish a definitive date by which this planned action is expected to be completed in JAMES.

6. Review and enhance baseline security configuration policies to provide for more effective security settings, including those related to removable media.

Management Response

BEP management stated that it documented configuration baselines for supporting USB cameras, and will review its policies to determine where better documentation would be appropriate.

OIG Comment

Management's planned corrective actions are responsive to our recommendation. However, BEP management will need to establish a definitive date by which this planned action is expected to be completed in JAMES.

7. Ensure full disk encryption is implemented on all BEP desktops.

Management Response

BEP management stated that full disk encryption on BEP local area network/wide area network desktops is being implemented with the Windows 7 migration. Deployment efforts are underway to complete the migration by the end of March 2012.

OIG Comment

Management's planned corrective actions are responsive to our recommendation.

8. Update the BIOS to prevent booting from alternate media without entering the BIOS password.

Management Response

BEP management stated that enhanced BIOS security on BEP local area network/wide area network desktops is being implemented with the Windows 7 migration. Deployment efforts are underway to complete the migration by the end of March 2012.

OIG Comment

Management's planned corrective actions are responsive to our recommendation.

9. Review printer configurations and disable unnecessary protocols.

Management Response

BEP management stated that it has implemented the required changes to printer configurations to disable unnecessary protocols.

OIG Comment

Management's reported corrective actions are responsive to our recommendation.

10. Change default passwords on all BEP Oracle servers.

Management Response

BEP management stated that it has implemented the required changes to Oracle servers.

OIG Comment

Management's reported corrective actions are responsive to our recommendation.

11. Replace internal systems' certificates with those that meet Federal Information Processing Standards, and review internal systems to determine whether HTTPS should be enabled.

Management Response

BEP management stated that based on the recommendation and findings, BEP has initiated a re-review of the HTTPS control usage on the internal network to identify if changes are required for specific systems.
This review is being factored into each system's standard certification and accreditation review process as an ongoing effort.

OIG Comment

Management's corrective actions are responsive to our recommendation. We would like to emphasize that BEP will need to replace internal systems' certificates with those that meet Federal Information Processing Standards. BEP management will also need to establish a definitive date by which this planned action is expected to be completed in JAMES.

Finding 4  Public-Facing Websites Did Not Fully Comply With OMB M-10-22

We found that the privacy policy statement posted on BEP's public-facing websites MoneyFactory.gov,[9] NewMoney.gov,[10] and MoneyFactoryStore.gov[11] did not fully comply with OMB Memorandum M-10-22, "Guidance for Online Use of Web Measurement and Customization Technologies." OMB M-10-22 places requirements on federal websites that use cookies, focusing on privacy policies. The goal is to respect and safeguard the privacy of the American public while allowing the Government to improve and modernize its online operations by using cookies, a practice that had been prohibited by a previous OMB memorandum.

[9] http://www.MoneyFactory.gov is an alias for http://www.bep.gov and is the main public website for the Bureau of Engraving and Printing.

[10] http://www.NewMoney.gov is a website whose content is centered on familiarizing various interest groups, and the public in general, with the new $100 note.

[11] http://www.MoneyFactoryStore.gov is the BEP's online store, selling currency-related items to the public.

We found that BEP used cookies without publishing the notifications of data usage and safeguards for the privacy of its users as required by OMB M-10-22. In addition, the open government pages linked on the three websites did not provide sufficient privacy information, or publish the results of annual reviews of compliance with OMB M-10-22 and provide a means for the public to provide feedback on the results of those reviews as required.

BEP managers told us that they were not aware of the presence of the cookies because they did not request cookies from the website hosting contractor. Regardless, BEP is responsible for complying with the OMB guidance relating to the safeguarding of the American public's privacy.

Recommendations

We recommend that the Director of BEP do the following:

12. Ensure the privacy policy statement for BEP's public-facing websites includes all elements required by OMB M-10-22.

Management Response

BEP management stated that BEP's privacy statements describe the web measurement and cookie use for the sites. BEP is working to reorganize the information presented to clearly demonstrate compliance with all elements required by OMB M-10-22. The updated privacy policies will be deployed once approved, but no later than the end of the calendar year 2011.

OIG Comment

Management's planned corrective actions are responsive to our recommendation.

13. Perform annual reviews of BEP public-facing websites for compliance with OMB M-10-22 and report the results on the "/open" webpage of the websites.

Management Response

BEP management stated OMB M-10-22 does not require "/open" webpages on each website. The directive requires "/open" webpages on the Agency's website. For BEP, Treasury's website satisfied this requirement, since it has and maintains the "/open" reports required by OMB M-10-22. BEP maintains open communication with Treasury's Privacy Office to coordinate any required reporting requirements. To date, Treasury made no official request from BEP to publish specific reports on the "/open" webpages. BEP continues to work with Treasury to ensure compliance with OMB directives.

OIG Comment

Management's response meets the intent of our recommendation. We contacted the Office of Privacy, Transparency and Records (OPTR) seeking its response on BEP's comment regarding the "/open" web pages issue. OPTR management informed us that they had not initiated the "/open" web pages review and, therefore, had not posted any verification results on the Treasury's "/open" page. OPTR stated that it intends to move forward with this in the near future, in coordination with the Treasury Office of the Chief Information Officer (OCIO). Specifically, the Treasury OCIO is revising the current directive, TD 81-08, Certification Process for the Use of Persistent Cookies on Treasury Web Sites, to incorporate OMB Memoranda M-10-22 and M-10-23. It is anticipated that OPTR and Treasury OCIO staff will jointly initiate the review requirement in FY 2012, after which the results will be posted.

******

I would like to extend my appreciation to the Director of BEP and his staff for the cooperation and courtesies extended to my staff during the audit. If you have any questions, please contact me at (202) 927-5171 or Abdirahman M. Salah, IT Audit Manager, at (202) 927-5763.
Major contributors to this report are listed in appendix 4.

/s/

Tram Jacquelyn Dang
Audit Director

Appendix 1
Objectives, Scope, and Methodology

The objective of this audit was to determine whether sufficient protections were in place to prevent and detect intrusions into the Bureau of Engraving and Printing's (BEP) networks and systems. This audit is included in the Office of Inspector General Annual Plan for 2010.

To accomplish our objective, we utilized specialized software to conduct our vulnerability assessment, penetration test, internet-facing websites assessment, and social engineering. Specifically, we performed the following:

• We completed the vulnerability assessment and penetration tests inside BEP's network from an insider perspective with full knowledge of BEP and system access.

• We used statistical sampling to analyze the missing critical patches in desktop and server systems identified by our network vulnerability scans. We reviewed a random sample of 55 of the 220 missing critical desktop patches and 50 of the 152 missing critical server patches for the dates they were issued. We found that 33 of 55 (60 percent) missing critical desktop patches and 25 of 50 (50 percent) missing critical server patches were over 365 days old. This result was represented by a confidence level of 95 percent, a sample precision of 5 percent, and an expected error rate of 5 percent.

• For BEP's internet-facing websites that were external to BEP's network, we only used information available to the general public.

• We performed a social engineering test to determine whether BEP users were aware of cybersecurity threats or understood their roles in protecting agency information technology resources.

• We reviewed and analyzed documents related to BEP's network and systems, and interviewed BEP information technology security and operations personnel.

We performed our fieldwork at BEP's headquarters location in Washington, DC, from May 2010 through April 2011. Upon completion of our tests, we provided BEP's Chief Information Officer staff with the reports generated by our automated assessment tools in July 2010, so that timely corrective actions could be taken.
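The patch-age sampling described in the second bullet above, as an added worked example that is not part of the report: it reproduces the report's sample sizes (55 of 220 desktop patches and 50 of 152 server patches) from the stated 95 percent confidence, 5 percent precision and 5 percent expected error rate, assuming the standard attribute-sampling formula with finite population correction (the report does not state which formula it used), and applies the same over-365-days test to a constructed list of missing patches, producing the Plan of Action and Milestones records that Recommendation 3 calls for. Patch IDs, issue dates and the record fields are constructed placeholders, not values from the audit.

```python
"""Patch-age triage modelled on the OIG-11-112 audit methodology (added example)."""
import math
import random
from datetime import date

# Sampling parameters stated in Appendix 1 of the report.
Z_95 = 1.959964          # two-sided z-score for 95 percent confidence
PRECISION = 0.05         # sample precision of 5 percent
EXPECTED_ERROR = 0.05    # expected error rate of 5 percent
STALE_DAYS = 365         # the report's "over 365 days old" threshold


def sample_size(population: int, z: float = Z_95, e: float = PRECISION,
                p: float = EXPECTED_ERROR) -> int:
    """Random sample size for an attribute test over `population` items.

    Assumption: the report does not give its formula. This is the standard
    n0 = z^2 * p * (1 - p) / e^2, corrected for a finite population as
    n = n0 / (1 + (n0 - 1) / N) and rounded up. It reproduces the report's
    55 of 220 desktop patches and 50 of 152 server patches.
    """
    n0 = (z * z * p * (1.0 - p)) / (e * e)
    n = n0 / (1.0 + (n0 - 1.0) / population)
    return min(population, math.ceil(n))


def is_stale(issued: date, as_of: date, threshold_days: int = STALE_DAYS) -> bool:
    """True when the vendor issued the patch more than threshold_days before as_of."""
    return (as_of - issued).days > threshold_days


def triage(missing: list[tuple[str, date]], as_of: date, seed: int = 0) -> dict:
    """Draw a random sample of the missing patches and apply the age test.

    `missing` holds (patch_id, vendor_issue_date) pairs. The sample size comes
    from sample_size(); `seed` only makes the draw reproducible.
    """
    k = sample_size(len(missing))
    rng = random.Random(seed)
    sample = rng.sample(missing, k)
    stale = [pid for pid, issued in sample if is_stale(issued, as_of)]
    return {
        "population": len(missing),
        "sample_size": k,
        "stale_in_sample": len(stale),
        "stale_percent": round(100.0 * len(stale) / k),
        "stale_ids": sorted(stale),
    }


def poam_entries(missing: list[tuple[str, date]], as_of: date) -> list[dict]:
    """One Plan of Action and Milestones record per stale unapplied patch.

    Recommendation 3 asks that unpatched critical vulnerabilities be patched,
    mitigated or formally risk-accepted and recorded in the POA&M; this builds
    the records. The field names are constructed, not a Treasury schema.
    """
    entries = []
    for pid, issued in missing:
        if not is_stale(issued, as_of):
            continue
        entries.append({
            "weakness": f"critical patch {pid} not applied",
            "source": "OIG-11-112 vulnerability scan",   # report identifier
            "identified": as_of.isoformat(),
            "age_days": (as_of - issued).days,
            "status": "open",              # patched / mitigated / risk accepted
            "justification": None,         # business reason, if risk is accepted
            "scheduled_completion": None,  # must become a definite date (JAMES)
        })
    return entries


# Constructed sample input: patch IDs and vendor issue dates are placeholders,
# not values from the report. The as-of date matches the July 2010 hand-off
# of the scan reports described in Appendix 1.
AS_OF = date(2010, 7, 1)
MISSING_PATCHES = [
    ("PATCH-001", date(2002, 8, 1)),    # roughly 8 years old
    ("PATCH-002", date(2007, 5, 15)),   # roughly 3 years old
    ("PATCH-003", date(2010, 5, 11)),
    ("PATCH-004", date(2010, 6, 8)),
    ("PATCH-005", date(2009, 3, 10)),
    ("PATCH-006", date(2008, 11, 11)),
    ("PATCH-007", date(2010, 2, 9)),
    ("PATCH-008", date(2009, 9, 8)),
]

if __name__ == "__main__":
    print("desktop sample:", sample_size(220), "server sample:", sample_size(152))
    print(triage(MISSING_PATCHES, AS_OF))
    for entry in poam_entries(MISSING_PATCHES, AS_OF):
        print(entry)
```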
The reports provided details on specific vulnerabilities detected and exploited, and the suggested actions necessary to address them. We also provided BEP management with Notifications of Findings and Recommendations along with our analysis of the issues reported by the tools we used. The results of this audit may be used to support our work undertaken in accordance with the requirements of the Federal Information Security Management Act.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix 2
Management Response

Appendix 3
Screenshots of Real-Time BEP User Activity

Appendix 4
Major Contributors To This Report

Office of Information Technology (IT) Audit

Tram J. Dang, Audit Director
Abdirahman M. Salah, IT Audit Manager
Kevin Mfume, IT Specialist
Yeshorohan K. Mandadi, IT Specialist
Daniel A. Jensen, IT Specialist
Gerald Kelly, Referencer

Appendix 5
Report Distribution

Department of the Treasury

Office of the Chief Information Officer
Office of Accounting and Internal Control
Office of Strategic Planning and Performance Management

Office of Management and Budget

Office of Inspector General Budget Examiner